DNS-01 challenge fails


That would be really kind of you! I got no issues with sharing it with you but probably best not to post it on the internet here. Do you have a suggestion or an email address perhaps?


@Darkstar @_az @orangepizza Some are following this issue to its resolution. It this thread still pending ?
Or what led to the resolution?


Hi Az, Rip, sorry I didn’t get back to you Az but I went down another path yesterday and I found the answer! It was in a really old thread, dated back in 2006, and it talks about how to control which view that gets selected when doing a dynamic update of DNS records. And wow do I want to complain to the bind developers about undocumented features and lack of examples! See - https://lists.isc.org/pipermail/bind-users/2006-January/061063.html

Basically in addition to using ACL lists to select what view is used, by the match-client and match-destination parameters, one can also use the keys themselves in these config statements. So in both of my localhost_resolver and my internal views I used the following statements -
view “localhost_resolver”
match-clients { ! key letsencrypt.; localhost; };
match-destinations { ! key letsencrypt.; localhost; };


view “internal” { // What the home network will see
match-clients { ! key letsencrypt.; localnets; localhost; };
match-destinations { ! key letsencrypt.; localnets; localhost; };

These then forces bind to only let certbot use the external view when doing the challenges and that works!

This whole area of using match-clients and match-destinations needs a LOT of help in getting it documented better IMHO. I still do not fully grok it, I don’t really understand what match-destinations is really doing, I think localhost may be matching all interface IP addresses assigned to the host running bind, not just, not at all sure about what localnets really means, nor do I fully understand the priorities and relationships to other related parameters such as allow-updates and update-policies. I am not talking about understanding at a high level either, the devil is in the details and that needs a much clearer explanation than what I am seeing. I think the example of the bind config files, supplied with my distro and probably others as well to be used as a starting point, were very misleading and confusing about views. I am not sure I fully understand the search order bind uses to match and select a view but suspect it is first view that matches in the order defined and not the view that best matches the most restrictive selection criteria. And nowhere, in any of the standard documentation about bind did I find an example or a reference to using keys themselves as a means of selection in the match-clients and match-destinations statements. Perhaps I missed it somehow…

 ever onward,   Marc   :slight_smile: